263 lines
6.8 KiB
PHP
263 lines
6.8 KiB
PHP
<?php
|
|
namespace um\common;
|
|
|
|
use WP_User;
|
|
|
|
if ( ! defined( 'ABSPATH' ) ) {
|
|
exit;
|
|
}
|
|
|
|
if ( ! class_exists( 'um\common\Secure' ) ) {
|
|
|
|
/**
|
|
* Class Secure
|
|
*
|
|
* @package um\common
|
|
*
|
|
* @since 2.6.8
|
|
*/
|
|
class Secure {
|
|
|
|
public function hooks() {
|
|
add_action( 'wp', array( $this, 'schedule_events' ) );
|
|
add_filter( 'um_get_option_filter__banned_capabilities', array( $this, 'add_default_capabilities' ) );
|
|
}
|
|
|
|
/**
|
|
* Add callbacks to Schedule Events.
|
|
*
|
|
* @since 2.6.8
|
|
*/
|
|
public function schedule_events() {
|
|
if ( ! UM()->options()->get( 'secure_ban_admins_accounts' ) ) {
|
|
return;
|
|
}
|
|
|
|
if ( UM()->options()->get( 'secure_notify_admins_banned_accounts' ) ) {
|
|
$notification_interval = UM()->options()->get( 'secure_notify_admins_banned_accounts__interval' );
|
|
if ( 'instant' === $notification_interval ) {
|
|
return;
|
|
}
|
|
|
|
if ( 'hourly' === $notification_interval ) {
|
|
add_action( 'um_hourly_scheduled_events', array( $this, 'notify_administrators_hourly' ) );
|
|
} elseif ( 'daily' === $notification_interval ) {
|
|
add_action( 'um_daily_scheduled_events', array( $this, 'notify_administrators_daily' ) );
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Notify Administrators hourly - Suspicious activities in an hour
|
|
*
|
|
* @since 2.6.8
|
|
*/
|
|
public function notify_administrators_hourly() {
|
|
$user_ids = get_users(
|
|
array(
|
|
'fields' => 'ids',
|
|
'meta_query' => array(
|
|
'relation' => 'AND',
|
|
array(
|
|
'key' => 'um_user_blocked__timestamp',
|
|
'value' => gmdate( 'Y-m-d H:i:s', strtotime( '-1 hour' ) ),
|
|
'compare' => '>=',
|
|
'type' => 'DATETIME',
|
|
),
|
|
),
|
|
)
|
|
);
|
|
|
|
$this->send_notification( $user_ids );
|
|
}
|
|
|
|
/**
|
|
* Notify Administrators daily - Today's suspicious activity
|
|
*
|
|
* @since 2.6.8
|
|
*/
|
|
public function notify_administrators_daily() {
|
|
$user_ids = get_users(
|
|
array(
|
|
'fields' => 'ids',
|
|
'relation' => 'AND',
|
|
'meta_query' => array(
|
|
'relation' => 'AND',
|
|
array(
|
|
'key' => 'um_user_blocked__timestamp',
|
|
'value' => gmdate( 'Y-m-d H:i:s', strtotime( '-1 day' ) ),
|
|
'compare' => '>=',
|
|
'type' => 'DATE',
|
|
),
|
|
array(
|
|
'key' => 'um_user_blocked__timestamp',
|
|
'value' => gmdate( 'Y-m-d H:i:s' ),
|
|
'compare' => '<=',
|
|
'type' => 'DATE',
|
|
),
|
|
),
|
|
)
|
|
);
|
|
|
|
$this->send_notification( $user_ids );
|
|
}
|
|
|
|
public function send_notification( $user_ids ) {
|
|
$banned_profile_links = '';
|
|
foreach ( $user_ids as $uid ) {
|
|
um_fetch_user( $uid );
|
|
$banned_profile_links .= UM()->user()->get_profile_link( $uid ) . ' ' . UM()->common()->users()->get_status( $uid ) . '<br />';
|
|
}
|
|
um_reset_user();
|
|
|
|
$emails = um_multi_admin_email();
|
|
if ( ! empty( $emails ) ) {
|
|
foreach ( $emails as $email ) {
|
|
UM()->maybe_action_scheduler()->enqueue_async_action(
|
|
'um_dispatch_email',
|
|
array(
|
|
$email,
|
|
'suspicious-activity',
|
|
array(
|
|
'admin' => true,
|
|
'tags' => array(
|
|
'{banned_profile_links}',
|
|
),
|
|
'tags_replace' => array(
|
|
$banned_profile_links,
|
|
),
|
|
),
|
|
)
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get the banned capabilities list.
|
|
*
|
|
* @return array
|
|
*/
|
|
public function get_banned_capabilities_list() {
|
|
/**
|
|
* Filters the banned capabilities for UM Register forms.
|
|
*
|
|
* @param {array} $capabilities WordPress Administrative Capabilities.
|
|
*
|
|
* @return {array} Banned admin capabilities.
|
|
*
|
|
* @since 2.6.8
|
|
* @hook um_secure_register_form_banned_capabilities
|
|
*
|
|
* @example <caption>Added `read` capability as banned.</caption>
|
|
* function my_banned_capabilities( $capabilities ) {
|
|
* $capabilities[] = 'read';
|
|
* return $capabilities;
|
|
* }
|
|
* add_filter( 'um_secure_register_form_banned_capabilities', 'my_banned_capabilities' );
|
|
*/
|
|
$banned_admin_capabilities = apply_filters(
|
|
'um_secure_register_form_banned_capabilities',
|
|
array(
|
|
'create_sites',
|
|
'delete_sites',
|
|
'manage_network',
|
|
'manage_sites',
|
|
'manage_network_users',
|
|
'manage_network_plugins',
|
|
'manage_network_themes',
|
|
'manage_network_options',
|
|
'upgrade_network',
|
|
'setup_network',
|
|
'activate_plugins',
|
|
'edit_dashboard',
|
|
'edit_theme_options',
|
|
'export',
|
|
'import',
|
|
'list_users',
|
|
'remove_users',
|
|
'switch_themes',
|
|
'customize',
|
|
'delete_site',
|
|
'update_core',
|
|
'update_plugins',
|
|
'update_themes',
|
|
'install_plugins',
|
|
'install_themes',
|
|
'delete_themes',
|
|
'delete_plugins',
|
|
'edit_plugins',
|
|
'edit_themes',
|
|
'edit_files',
|
|
'edit_users',
|
|
'add_users',
|
|
'create_users',
|
|
'delete_users',
|
|
'level_10',
|
|
'manage_options',
|
|
'promote_users',
|
|
)
|
|
);
|
|
return $banned_admin_capabilities;
|
|
}
|
|
|
|
/**
|
|
* Revoke Caps & Mark rejected as suspicious
|
|
*
|
|
* @param WP_User $user
|
|
*
|
|
* @since 2.6.8
|
|
*/
|
|
public function revoke_caps( $user ) {
|
|
$user_agent = '';
|
|
if ( isset( $_REQUEST['nonce'], $_REQUEST['action'] ) && 'um_secure_scan_affected_users' === $_REQUEST['action'] && wp_verify_nonce( $_REQUEST['nonce'], 'um-admin-nonce' ) && current_user_can( 'manage_options' ) ) {
|
|
$user_agent = __( 'Ultimate Member Scanner', 'ultimate-member' );
|
|
} elseif ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
|
|
$user_agent = sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) );
|
|
}
|
|
|
|
um_fetch_user( $user->ID );
|
|
|
|
// Capture details.
|
|
$captured = array(
|
|
'capabilities' => $user->allcaps,
|
|
'submitted' => ! empty( UM()->form()->post_form ) ? UM()->form()->post_form : '',
|
|
'roles' => $user->roles,
|
|
'user_agent' => $user_agent,
|
|
'account_status' => UM()->common()->users()->get_status( $user->ID ),
|
|
);
|
|
update_user_meta( $user->ID, 'um_user_blocked__metadata', $captured );
|
|
|
|
$user->remove_all_caps();
|
|
$user->update_user_level_from_caps();
|
|
|
|
// Force update of the user status without email notifications.
|
|
if ( is_user_logged_in() ) {
|
|
UM()->common()->users()->set_status( $user->ID, 'inactive' );
|
|
} else {
|
|
UM()->common()->users()->set_status( $user->ID, 'rejected' );
|
|
}
|
|
|
|
um_reset_user();
|
|
update_user_meta( $user->ID, 'um_user_blocked', 'suspicious_activity' );
|
|
update_user_meta( $user->ID, 'um_user_blocked__timestamp', current_time( 'mysql', true ) );
|
|
UM()->user()->remove_cache( $user->ID );
|
|
}
|
|
|
|
/**
|
|
* Always add default banned capabilities.
|
|
*
|
|
* @param mixed $option_value
|
|
*
|
|
* @return mixed
|
|
*
|
|
* @since 2.6.8
|
|
*/
|
|
public function add_default_capabilities( $option_value ) {
|
|
if ( is_array( $option_value ) ) {
|
|
$option_value = array_merge( $option_value, UM()->options()->get_default( 'banned_capabilities' ) );
|
|
}
|
|
return $option_value;
|
|
}
|
|
}
|
|
}
|